Codenomicon helped identify and a critical flaw in widely-used encryption software. A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and DTLS can be exploited in a denial of service attack on both client and server software. The flaw was found with Fuzz-o-Matic, a cloud-based testing platform.


The TLS security protocol is the current Internet standard for encrypting and authenticating application traffic. TLS is used by millions of people every day in online banking, e-commerce, email, and Voice-over-IP applications.

The OpenSSL is an open-source implementation of TLS and is employed in standard operating systems, web browsers, email clients, and network devices ranging from WiFi access points and DSL modems to industrial-strength core routers.

"Cloud-based security testing is the future of outsourced penetration tests, and this is clear proof of the success of Fuzz-o-Matic", said Antti Häyrynen, Senior Security Reseacher and the lead developer of the Fuzz-o-Matic platform.

Fuzz-o-Matic is a platform that can run both Codenomicon Defensics and a wide range of other fuzzing tools and platforms available in the industry. The users of Fuzz-o-Matic upload their software to the cloud-based service, where the leading experts of the industry choose and configure all tools and start the tests. Fuzz-o-Matic customers will get email notifications on all found vulnerabilities, and can login into the system to download test results.